
Lizard Squad hacked thousands of CCTV to attack websites with as much as 400Gbps of Data

Security researchers at Arbor Networks have discovered that the outfit compromised several thousand closed-circuit cameras and webcams to create a botnet that it promptly used for denial-of-service attacks against banks, gaming sites, governments and internet providers. Each device might not be as individually powerful as a PC, but they add up -- some attacks flooded sites with as much as 400Gbps of data.

LizardStresser is a botnet originally written by the infamous Lizard Squad DDoS group. The source code was released publicly in early 2015, an act that encouraged aspiring DDoS actors to build their own botnets. Arbor Networks’ ASERT group has been tracking LizardStresser activity and observed two disturbing trends:
  • The number of unique LizardStresser command-and-control (C2) sites has been steadily increasing throughout 2016.
  • A set of threat actors behind LizardStresser have focused on targeting Internet of Things (IOT) devices using default passwords that are shared amongst entire device classes.

LizardStresser is a DDoS botnet written in C and designed to run on Linux. The code consists of two halves – a client and server. The client is designed to run on compromised Linux machines which connect to a hardcoded C2 server. The protocol is essentially a lightweight version of IRC chat. Infected clients will connect to the server and receive commands, listed below.
  • The ability to launch a DDoS attack using a variety of attack methods:
    1. HOLD – holds open TCP connections.
    2. JUNK – sends a random string of junk characters to a TCP port.
    3. UDP – sends a random string of junk characters to a UDP port.
    4. TCP – repeatedly sends TCP packets with the specified flags.
  • A mechanism to run arbitrary shell commands, useful for downloading updated versions of LizardStresser with new C2s, or entirely different malware.
  • Propagation via telnet brute forcing. Clients connect to random IP addresses and attempt to log in via telnet using a list of hard-coded usernames and passwords. Successful logins are reported back to the C2 for later assimilation into the botnet.

LizardStresser is extremely simple to compile and run. Samples have been compiled for various architectures such as x86, ARM, and MIPS – the most common platforms for IoT devices.
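The propagation behaviour described above (one infected client opening telnet connections to many random addresses in a short time) has a simple network-side signature: one source talking to an unusually large number of distinct destinations on TCP/23 inside a short window. The following detector is an added example, not code from the article or from Arbor Networks; the key=value flow-log format and the sample lines are constructed for the example, and the window and threshold values are assumptions you would tune to your own network.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed flow/firewall log lines (not from the article). The format is an
# assumption: ISO-8601 timestamp followed by key=value fields.
SAMPLE_LOG = """\
2016-06-30T12:00:01Z src=10.0.0.5 dst=198.51.100.10 dport=23 proto=tcp action=allow
2016-06-30T12:00:02Z src=10.0.0.5 dst=198.51.100.11 dport=23 proto=tcp action=allow
2016-06-30T12:00:02Z src=10.0.0.9 dst=198.51.100.12 dport=23 proto=tcp action=allow
2016-06-30T12:00:03Z src=10.0.0.5 dst=198.51.100.12 dport=23 proto=tcp action=allow
2016-06-30T12:00:04Z src=10.0.0.5 dst=198.51.100.13 dport=80 proto=tcp action=allow
2016-06-30T12:00:05Z src=10.0.0.5 dst=198.51.100.14 dport=23 proto=tcp action=allow
2016-06-30T12:00:06Z src=10.0.0.5 dst=198.51.100.15 dport=23 proto=tcp action=allow
2016-06-30T12:00:07Z src=10.0.0.5 dst=198.51.100.16 dport=23 proto=tcp action=allow
2016-06-30T12:00:09Z src=10.0.0.5 dst=198.51.100.10 dport=23 proto=tcp action=allow
2016-06-30T12:03:00Z src=10.0.0.9 dst=198.51.100.20 dport=23 proto=tcp action=allow
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\S+)"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]), "proto": m["proto"]}


def detect_telnet_sweeps(lines, window_seconds=60, min_targets=5):
    """Return {source: peak distinct telnet destinations} for sources that
    contacted at least `min_targets` distinct hosts on TCP/23 within any
    `window_seconds` sliding window. Repeat connections to the same host are
    counted once, so a legitimate management box re-polling one device is not
    mistaken for a sweep."""
    events = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["proto"] == "tcp" and ev["dport"] == 23:
            events[ev["src"]].append((ev["ts"], ev["dst"]))

    findings = {}
    for src, evs in events.items():
        evs.sort()  # sort by timestamp so each window ends at event i
        peak = 0
        for i, (t_end, _) in enumerate(evs):
            in_window = {dst for t, dst in evs[: i + 1]
                         if (t_end - t).total_seconds() <= window_seconds}
            peak = max(peak, len(in_window))
        if peak >= min_targets:
            findings[src] = peak
    return findings


if __name__ == "__main__":
    for src, n in detect_telnet_sweeps(SAMPLE_LOG.splitlines()).items():
        print(f"possible telnet sweep from {src}: {n} distinct targets on tcp/23")
```

Because the count is of distinct destinations rather than raw connections, the threshold can be set low without flagging ordinary telnet administration; a single infected camera sweeping random addresses, as the report describes, crosses it within seconds.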

As to the reasons for infiltrating these cameras? Simply put, they're easy targets. The cams tend to run minimal versions of common platforms like Linux, with relatively little built-in security (in part due to the limited hardware) and reused login details. Combine that with buyers who seldom install patches and it's frequently just a matter of finding the cameras to install malware.

Almost 90% of the hosts that responded had an HTML title of “NETSurveillance WEB”.

Doing some more research, the NETSurveillance WEB interface appears to be generic code used by a variety of Internet-accessible webcams. A default password for the root user is available online, and telnet is enabled by default.
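For a defender, the useful takeaway from the "NETSurveillance WEB" finding is that a device class can be recognised from its HTTP title alone, so an inventory of your own address space can flag every such device that also exposes telnet before anyone else does. The following is an added example and not code from the article or from Arbor Networks; the scan records (hosts, open ports and HTML bodies) are constructed, and their dict layout is an assumption standing in for whatever your scanner actually emits.

```python
import re
from collections import Counter
from html import unescape

TITLE_RE = re.compile(r"<title[^>]*>(.*?)</title>", re.IGNORECASE | re.DOTALL)


def extract_title(body):
    """Return the normalised <title> of an HTML body, or None if there is none.
    Whitespace runs are collapsed so 'NETSurveillance  WEB' still matches."""
    m = TITLE_RE.search(body or "")
    if not m:
        return None
    return unescape(" ".join(m.group(1).split()))


# Constructed scan records of an organisation's own address range (not from the
# article). The record layout is an assumption made for this example.
SCAN_RECORDS = [
    {"host": "192.0.2.10", "open_ports": [23, 80],
     "http_body": "<html><head><title>NETSurveillance WEB</title></head></html>"},
    {"host": "192.0.2.11", "open_ports": [80],
     "http_body": "<html><head><TITLE>\n NETSurveillance  WEB \n</TITLE></head></html>"},
    {"host": "192.0.2.12", "open_ports": [22, 443],
     "http_body": "<html><head><title>Router Admin</title></head></html>"},
    {"host": "192.0.2.13", "open_ports": [23], "http_body": ""},
]


def inventory(records, watch_title="NETSurveillance WEB"):
    """Count HTTP titles across the scan and list hosts that both carry the
    watched title and expose telnet (port 23): the combination the report
    describes as the target profile. Returns (title_counts, flagged_hosts)."""
    titles = Counter()
    flagged = []
    for rec in records:
        title = extract_title(rec.get("http_body"))
        titles[title or "(no title)"] += 1
        if title == watch_title and 23 in rec.get("open_ports", []):
            flagged.append(rec["host"])
    return titles, flagged


def title_share(title_counts, title):
    """Fraction of scanned hosts whose title equals `title` (0.0 if no hosts)."""
    total = sum(title_counts.values())
    return title_counts[title] / total if total else 0.0


if __name__ == "__main__":
    counts, flagged = inventory(SCAN_RECORDS)
    print(counts.most_common())
    print(f"{title_share(counts, 'NETSurveillance WEB'):.0%} of hosts are NETSurveillance WEB")
    print("remediate first (watched title + telnet open):", flagged)
```

Hosts that match the watched title but do not expose telnet still warrant a password change; the flagged list simply orders the work by the exposure the report describes.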

The telnet brute-forcing capability of LizardStresser attempts to log in to random IP addresses with a hard-coded list of usernames and passwords. The publicly available version of LizardStresser has the usernames and passwords listed in Figure 2.

I myself sometimes play around with the free Angry IP Scanner; it can scan a range and check open ports like telnet, ssh, https and http.

The findings underscore the problems with security in the internet of things. When seemingly every device is connected, it's that much harder to keep everything up to date -- and that's assuming that hardware makers are committed to updates in the first place. These kinds of attacks may be commonplace until gadgets are more secure. 

Meanwhile, in the Philippines, two of the country’s leading telecommunications companies agreed to establish a bilateral internet protocol (IP) peering agreement to improve the Philippines’ internet service.

Under a memorandum of agreement (MOA), PLDT Inc. and Globe Telecom Inc. have agreed to use a bilateral internet protocol peering system. It will allow the direct local exchange of traffic between PLDT's Philippine Internet Exchange (PhIX) and Globe Internet Exchange (GIX) that is allotted to each other's own broadband and mobile customers.

Last year, six British teenagers were arrested and released on bail on suspicion of launching cyber attacks on websites and services with the help of the Lizard Squad DDoS attack tool, called Lizard Stresser. The six teens, arrested by the National Crime Agency, are accused of using the Lizard Stresser DDoS tool to launch cyber attacks against a school, a national newspaper, gaming companies and a number of online retailers.

Source: Arbor Networks
